Configuration procedure
On the CA server, complete the following configuration:
1 Configure a CA server named myca.
In this example, first configure these basic attributes on the CA server:
■ Nickname: Name of the trusted CA.
■ Subject DN: DN information of the CA, including the Common Name (CN),
Organization Unit (OU), Organization (O), and Country (C).
The other attributes can be left at their default values.
2 Configure extended attributes
After configuring the basic attributes, configure the extended attributes on the
jurisdiction configuration page of the CA server. This includes selecting the proper
extension profiles, enabling the SCEP autovetting function, and adding the IP
address list for SCEP autovetting.
3 Configure the CRL publishing behavior
After completing the above configuration, configure the CRL-related settings.
In this example, select HTTP as the local CRL publishing mode and
set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the above configuration, make sure that the system clock of the device is
synchronized with that of the CA, so that the device can request certificates and
retrieve CRLs properly.
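Why the clock requirement above matters, as an added example that is not part of the original manual: the sketch applies the standard X.509 validity-window checks (certificate notBefore/notAfter, CRL thisUpdate/nextUpdate) to a device clock that is in sync, behind, or ahead of the CA. All timestamps and function names are constructed for illustration, and the router's own validation logic is assumed to follow these standard checks.

```python
from datetime import datetime, timedelta, timezone

def pki_time_problems(device_now, not_before, not_after, this_update, next_update):
    """List the validity-window failures a verifier sees at device_now."""
    problems = []
    if device_now < not_before:
        problems.append("certificate not yet valid")
    if device_now > not_after:
        problems.append("certificate expired")
    if device_now < this_update:
        problems.append("CRL issued in the future")
    if device_now > next_update:
        problems.append("CRL stale (past nextUpdate)")
    return problems

def tolerated_skew(ca_now, not_before, not_after, this_update, next_update):
    """Return (max_behind, max_ahead): how far the device clock may lag or
    lead the CA clock before one of the checks above fails."""
    max_behind = max(ca_now - max(not_before, this_update), timedelta(0))
    max_ahead = max(min(not_after, next_update) - ca_now, timedelta(0))
    return max_behind, max_ahead

# Constructed sample values (assumptions, not taken from the manual):
# a certificate issued "now" by the CA and a CRL published one hour ago
# with a 24-hour update interval.
CA_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
NOT_BEFORE = CA_NOW
NOT_AFTER = CA_NOW + timedelta(days=365)
THIS_UPDATE = CA_NOW - timedelta(hours=1)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=24)
WINDOWS = (NOT_BEFORE, NOT_AFTER, THIS_UPDATE, NEXT_UPDATE)

if __name__ == "__main__":
    cases = [("in sync", timedelta(seconds=5)),
             ("10 min behind", -timedelta(minutes=10)),
             ("2 days ahead", timedelta(days=2))]
    for label, offset in cases:
        print(label, pki_time_problems(CA_NOW + offset, *WINDOWS) or "ok")
    print("tolerated skew:", tolerated_skew(CA_NOW, *WINDOWS))
```

A device clock that lags the CA fails on a freshly issued certificate immediately, while a clock that runs ahead fails first on the CRL, whose window is much shorter than the certificate's.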
On the router, perform the following configurations:
1 Configure the entity name space
# Configure the entity name as aaa and the common name as router.
<Router> system-view
[Router] pki entity aaa
[Router-pki-entity-aaa] common-name router
[Router-pki-entity-aaa] quit
2 Configure the PKI domain
# Create PKI domain torsa and enter its view.
[Router] pki domain torsa
# Configure the name of the trusted CA as myca.
[Router-pki-domain-torsa] ca identifier myca
# Configure the URL of the enrollment server in the format of
http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a
hexadecimal string generated on the CA server.
PKI Configuration Examples